
Help understanding how bypassing key systems works

Posts: 19

Threads: 3

Joined: Oct, 2022

Reputation: 0

Posted

I have always wondered how people bypass other people's key systems. I know you need to use hookfunction and use that to hook the loadstring, but I have never really seen how it works or anything like that.

If someone has a sample and can explain it to me that would be nice, either by comments or explaining how each part of it works.

  • 0

https://github.com/LocalSmail/Finity

discord.gg/ZjDYXYbwkU

Xen80

Xën#1337

vip

Posts: 147

Threads: 13

Joined: Nov, 2020

Reputation: 7

Replied

redirect web traffic? idk

  • 0

Discord:

Xën#1337

nickk

RealNickk

Posts: 18

Threads: 1

Joined: Dec, 2022

Reputation: 7

Replied

Most key systems aren't secure, as the client (for the most part) validates that the user has a valid license, either directly or indirectly. Some key systems use hardware ID for authentication, others may use a GUID, maybe a random string, the Roblox user ID, etc. These are just a few examples that a developer may use to authenticate their client, and there are many ways a key system can be implemented. You'll need to conduct your own research to figure that out. Due to the nature of Lua (where you're not able to hide your code easily), some of the developers have resorted to using obfuscation, which is not secure either. There's a large number of methods to crack a key system, all of which depend on the method that's used to verify the client's integrity, forcing the attacker to think out of the box and reverse engineer the system.

Although you may have to conduct your own research, there are common ways key systems are cracked. I wrote these methods for you to read below. If you need any source examples, make sure to reply to me so I can provide some.

1. Replay attacks - These consist of "faking" the endpoint(s) that the client utilizes to verify the user's key. This allows the attacker to have full control over what data is transmitted to/from one endpoint to another. Let's say I'm the computer and I want to verify my user's key. I send a request to "example.com/api/v1/validate" with the payload '{ "key": "123456abcdefg" }'. The server replies with '{ "success": true, "valid": true }'. I now know that the key is valid because the server says that it is. What can happen is that the attacker can create a host entry with the domain "example.com" that points to a rogue server instance that's self-hosted. Now all of the traffic goes to the local server, so this rogue server can be programmed to relay all the data to "example.com," except when a key is being validated. When a request is being sent to "/api/v1/validate," the rogue server can reply saying that the key is valid without ever needing to contact the legitimate key server. The client can't tell the difference between them, so it proceeds to believe the key is valid when it's not. These types of attacks are actively used in the real world for not only cracking key systems, but for spoofing data sent between clients with a man in the middle. Replay attacks run at a much lower level than the other attacks.

2. Web request hooks - These are less sophisticated attacks. They simply hook web requests and replay the data. It works much like a replay attack, but there is no intercepting web server; rather, the web request is checked by the hook's code, and if there's a certain pattern in the request, it'll return a fake response. Web request hooking runs at the application level (Lua virtual machine), which is at a higher level than that of a replay attack. These attacks can be detected much more easily, as it's done completely on the Lua virtual machine. One way this can be implemented is by hooking a function that makes a web request, such as game.HttpGet or syn.request, and returning fake responses when necessary.

3. EQ inversing - When messing with obfuscated code, equality (EQ) instruction inversing may work well. Lua runs a lower-level form of itself as VM instructions. Think of this low-level form of code as an intermediate language (IL), or bytecode, for short. This code is essentially machine code that the VM can understand. Most Lua obfuscators will emulate a virtual machine on top of the shared VM that you execute your scripts on. The goal is to find the equality instruction where it checks the server response, and flip it. You're essentially turning your code from "response.valid == true" to "response.valid ~= true", which in turn makes the code proceed when the key is invalid. Many obfuscator VMs implement their custom forms of the Lua VM, so a bit of reverse engineering would need to be conducted to determine how the equality operator in that specific VM works, if it has one.

  • 2

Posts: 19

Threads: 3

Joined: Oct, 2022

Reputation: 0

Replied

@nickk

i love you tysm

  • 0

Posts: 14

Threads: 0

Joined: Dec, 2022

Reputation: 0

Replied

I don't know much about advanced ones, but if it's a getgenv() or local key system, you can do

print(key) and print(Key) and see if they work.

If it's a shirt whitelist, change your user ID and name to an owner's.

If it's a group whitelist, do the same.

  • 0

Alternate

stop take my rice

vip

Posts: 712

Threads: 113

Joined: Mar, 2022

Reputation: 40

Replied

@nickk

What I'm about to say could be very idiotic... but for a Replay Attack, would it theoretically be possible for the client to verify it's the correct server by checking for a certificate or something? I'm sure this could be bypassed as well, but is that a step of possible protection against a replay attack?

  • 0

we are dead

nickk

RealNickk

Posts: 18

Threads: 1

Joined: Dec, 2022

Reputation: 7

Replied

@Alternate That's a good question, and you are absolutely correct. That's the reason replay attacks can't be used in some cases. What an attacker could do to circumvent protection through SSL is to issue a fake server certificate to use from their own rogue CA (which is free), then trust that rogue CA on the target computer. I don't even know if you need a certificate authority; any certificate may work because I don't believe any validation is done on the custom HTTP request functions.

A much simpler task would be carrying out a replay attack through hooking any function that initiates an HTTP request in Lua and making it return a false response body, which would skip having to make an HTTP request, inevitably skipping the certificate validation step in low-level code, as no server request would have to be made. This works because the validation code is completely done in Lua. This method may be easier to detect from Lua, but it's easier than setting up your own certificate authority and issuing false certificates.

Edit: It looks like (at least Script-Ware) validates HTTPS requests. I couldn't get it to work on a self-signed cert, so a CA would need to be created.

https://i.imgur.com/uO676g3.jpeg

  • 0

Posts: 19

Threads: 3

Joined: Oct, 2022

Reputation: 0

Replied

@nickk

I thank you for your mass help, but I am still confused about what tools I would potentially need for the more difficult types of attacks. For example, the request would need a CA cert. I know it's pretty much a little bit of Lua, but I have a feeling there are third-party tools required for such processes.

I have HTTP Toolkit/Wireshark installed, but those are for HTTP requests and sniffing packets, so I am doubtful they would be of much use.

  • 0

nickk

RealNickk

Posts: 18

Threads: 1

Joined: Dec, 2022

Reputation: 7

Replied

@Finity It depends on what you're cracking and what method you want to use. I would try hooking HTTP request functions to see what's being done, then seeing if you can spoof the returns, which is easier than setting up a lower level replay attack.

  • 0

Posts: 19

Threads: 3

Joined: Oct, 2022

Reputation: 0

Replied

@nickk

Alright. I have gotten a script by sending a GET request and then writing the body to a txt file. Now all I'm trying to do is crack the whitelist system, as there are keys that are needed. They do give out a 30m free trial key of premium, which is what I'm using. Any suggestions for what tools to use or what to do at this point?

EDIT:

I've looked through the GC specifically for functions:

for i, v in next, getgc() do -- iterate over every object tracked by the Lua garbage collector
    if type(v) == "function" then -- only functions have upvalues; skip tables and other objects
        for i2, v2 in next, debug.getupvalues(v) do -- get the upvalues of that function
            if type(v2) == "function" then -- only descend into upvalues that are themselves functions
                for i3, v3 in next, debug.getupvalues(v2) do -- get the upvalues of the nested function
                    print(i3, v3) -- print each upvalue's index and value
                end
            end
        end
    end
end

And I'm seeing GC names for "Activated", some really long strings, and also functions (hex) (not sure how to use these functions).

What I mean:

https://imgur.com/0PZwdBS

  • 0
